| CARVIEW |
Securing Splunk Enterprise
- Install Splunk Enterprise securely
- Secure your admin account
- About TLS encryption and cipher suites
- Securing Splunk Enterprise with FIPS
- About default certificate authentication
- Secure Splunk Enterprise on your network
- Disable unnecessary Splunk Enterprise components
- Secure Splunk Enterprise service accounts
- Deploy secure passwords across multiple servers
- Harden the network port that App Key Value Store uses
- Some best practices for your servers and operating system
- Use access control to secure Splunk data
- About user authentication
- About configuring role-based user access
- About defining roles with capabilities
- Add and edit roles with Splunk Web
- Add and edit roles with authorize.conf
- Configure access to manager consoles and apps in Splunk Enterprise
- Find existing users and roles
- Delete all user accounts
- Secure access for Splunk knowledge objects
- Use network access control lists to protect your deployment
- Set up user authentication with LDAP
- Manage Splunk user roles with LDAP
- LDAP prerequisites and considerations
- Secure LDAP authentication with transport layer security (TLS) certificates
- How the Splunk platform works with multiple LDAP servers for authentication
- Configure LDAP with Splunk Web
- Map LDAP groups to Splunk roles in Splunk Web
- Configure LDAP with the configuration file
- Map LDAP groups and users to Splunk roles using configuration files
- Test your LDAP configuration on Splunk Enterprise
- Change authentication schemes from native to LDAP on Splunk Enterprise
- Remove an LDAP user safely on Splunk Enterprise
- Configure single sign-on with SAML
- Configure SSO with PingIdentity as your SAML identity provider
- Configure SSO with Okta as your identity provider
- Configure SSO with Microsoft Azure AD or AD FS as your Identity Provider
- Configure SSO with OneLogin as your identity provider
- Configure SSO with Optimal as your identity provider
- Configure SSO in Computer Associates (CA) SiteMinder
- Secure SSO with TLS certificates
- Configuring SAML in a search head cluster
- Configure Ping Identity with leaf or intermediate SSL certificate chains
- Configure SAML SSO for other IdPs
- Configure advanced settings for SSO
- Map groups on a SAML identity provider to Splunk roles
- Modify or remove role mappings
- Configure SAML SSO in the configuration files
- Troubleshoot SAML SSO
- Can I configure the source in the inputs.conf file...
- After configuring LDAP authentication with Active ...
- LDAP Configuration, Invalid credentials issue.
- Splunk Support for Active Directory: How to config...
- Splunk Supporting Add-on for Active Directory Mult...
- Why am I now getting "SSL configuration issue: inv...
- Configuring Splunk Supporting Add-on for Active Di...
- Splunk and OpenLDAP: Is there a setting in authent...
- Has anybody been successful with configuring the S...
- Unable to save SA-ldapsearch configuration despite...
Configure LDAP with the configuration file
As an alternative to using Splunk Web to configure LDAP, you can directly edit the authentication.conf file.
This example steps you through the process of setting up authentication.conf. If you prefer to configure LDAP with Splunk Web, see Configure LDAP with Splunk Web.
Note: If you configure LDAP authentication and decide later to return to using the default Splunk authentication, the simplest way is to move the existing authentication.conf file out of the way (for example, by renaming it to authentication.conf.disabled) and restart Splunk Enterprise.
You can see some more examples at the end of the authentication.conf spec file.
Edit authentication.conf in $SPLUNK_HOME/etc/system/local/. For information on configuration files in general, see About configuration files In the Admin Manual.
Set authentication type and strategy name(s)
By default, Splunk Enterprise uses Splunk authentication. Change the type to LDAP in the [authentication] stanza:
[authentication]
authType = LDAP
authSettings = ldaphost1,ldaphost2
Note the following:
- Turn on LDAP by setting
authType = LDAP. - The
authSettingsattribute identifies one or more LDAP strategies. Each strategy has its own stanza.
Configure LDAP strategy stanzas
Each LDAP strategy needs its own stanza. Map the LDAP values to attribute/value pairs in the strategy's stanza.
Note: Splunk Enterprise does not support IPv6 address formats for Windows.
Here's an example stanza for the "ldaphost1" strategy, specified earlier in the authSettings attribute:
[ldaphost1] host = ldaphost1.domain.com port = 389 SSLEnabled = 0 bindDN = cn=bind_user bindDNpassword = bind_user_password groupBaseDN = ou=Groups,dc=splunk,dc=com groupBaseFilter = (objectclass=*) groupMappingAttribute = dn groupMemberAttribute = uniqueMember groupNameAttribute = cn realNameAttribute = displayName userBaseDN = ou=People,dc=splunk,dc=com userBaseFilter = (objectclass=*) userNameAttribute = uid
Note: For best results when integrating Active Directory, place your Group Base DN in a separate hierarchy than the User Base DN.
SSL
If you have enabled SSL for your LDAP strategy, make sure the following minimum settings are present in ldap.conf
TLS_REQCERT demand TLS_CACERT <path to cert, for example: /opt/splunk/etc/auth/LDAProotcert.crt> TLS_CIPHER_SUITE <your cipher suite>
Configure multiple LDAP strategies
Splunk Enterprise can search across multiple LDAP servers, as described in How Splunk works with multiple LDAP servers. To configure this, set the authSettings attribute to a comma-separated list of all strategies, in the order in which you want Splunk Enterprise to query them. Then, specify separate stanzas for each strategy.
Map groups to roles
To map Splunk roles to a strategy's LDAP groups, you need to set up a roleMap stanza for that strategy. Each strategy requires its own roleMap stanza. This example maps roles for groups in the "ldaphost1" strategy. The syntax is <Splunk RoleName> = <LDAP group string>:
[roleMap_ldaphost1] admin = SplunkAdmins itusers = ITAdmins
Map users directly to roles
If you need to map users directly to Splunk roles, you can do so by setting the groupBaseDN to the value of userBaseDN. Also, set the attributes for groupMappingAttribute, groupMemberAttribute, and groupNameAttribute to the same attribute as userNameAttribute. For example:
[supportLDAP] SSLEnabled = 0 bindDN = cn=Directory Manager bindDNpassword = ######### groupBaseDN = ou=People,dc=splunksupport,dc=com groupBaseFilter = (objectclass=*) groupMappingAttribute = uid groupMemberAttribute = uid groupNameAttribute = uid host = supportldap.splunksupport.com port = 389 realNameAttribute = cn userBaseDN = ou=People,dc=splunksupport,dc=com userBaseFilter = (objectclass=*) userNameAttribute = uid [roleMap_supportLDAP] admin = rlee;bsmith
| Map LDAP groups to Splunk roles in Splunk Web | Map LDAP groups and users to Splunk roles using configuration files |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10
Comments
Download manual
Configure LDAP with the configuration file
You must be logged into splunk.com in order to post comments. Log in now.
Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.
Your Comment Has Been Posted Above
Feedback submitted, thanks!